intune macOS ios

It's Out Now! The All New macOS Update Policies in Intune

Overview The feature all Intune admins managing corporate macOS devices have been waiting for a long is out! It appeared on my test tenant, and I could not resist myself to test it out. Let me take you through all these brand-new features and help you configure the policies in

by Somesh Pathak
4 min read
It's Out Now! The All New macOS Update Policies in Intune

Overview

The feature all Intune admins managing corporate macOS devices have been waiting for a long is out!

It appeared on my test tenant, and I could not resist myself to test it out. Let me take you through all these brand-new features and help you configure the policies in Intune to manage macOS software updates for enrolled devices using Automated Device Enrollment (ADE).

What’s new

With this new feature, you will now be able to configure the below update types will include:

  1. Critical updates
  2. Firmware updates
  3. Configuration file updates
  4. All other updates (OS, built-in apps)

In addition to scheduling when a device receives the updates, you’ll be able to manage the following features:

  1. Download and Install: Download or install the update, depending on the current state.
  2. Download only: Download the software update without installing it.
  3. Install immediately: Download the software update and trigger the restart countdown notification.
  4. Notify only: Download the software update and notify the user through the App Store.
  5. Install later: Download the software update and install it at a later time.
  6. Not configured: No action was taken on the software update.

Updates and Upgrades

Apple operating systems use a version numbering scheme to distinguish major upgrades from minor updates. Unlike iOS/iPadOS/TV OS, macOS uses a simple integer (for example, macOS 11 and macOS 12) with a name like Big Sur and Monterey.

Upgrades are released much less frequently than updates and can take a while to install because of their large size. In comparison, updates are more frequently released patches for the current operating system and help protect the device against vulnerabilities. Updates use a second and sometimes a third number to denote increments. For example, iOS 15.1 is an update to iOS 15.

With this new feature, Intune allows you to manage, download, install, or even defer macOS software upgrades and updates remotely.

The Magic Behind These Updates

The MDM solution (Intune) uses the Apple Software Lookup service to be aware of available updates to push the update commands directly to the device.

Earlier Approach:

  1. First, the MDM server gets a list of available updates from Apple, and when the policy is configured and applied correctly, the MDM will send the updated version to the device.
  2. Then the device goes to the Apple lookup server to verify if the update is eligible and begins downloading and installing it.

New Approach:

  1. Apple introduced a new workflow for both macOS & iOS by introducing a new command “SofwtareUpdateModeIID” key. This key returns the hardware model ID to Intune.
  2. The Apple lookup software service will look for the appropriate hardware ID match for macOS, allowing Intune to determine the applicable updates without using the old approach of the AvailabelOSUpdates command.
  3. Intune will then determine the update applicability by comparing the result from the DeviceInformation query to the deviceID returned in the same query.

Once Intune knows which OS update applies to devices, the ScheduleOSUpdate command is used to push to update the macOS. Intune can trigger this command even during a software deferral window also. The five options available now for macOS have their own significance; let’s understand the logic behind each of them:

Download and Install (Immediately)

Thumb Rule: Avoid It!

The InstallASAP command is the default mechanism for the ScheduleOSUpdate command, with a default for InstallAction to download the updates. It downloads the software update and triggers the restart countdown notification. This command may require a restart (if the InstallForceRestart option is used). This may result in data loss on the end user’s device.

Download Only

This command downloads the software update in the background without installing it on the device. It will not start the installation.

All these requests are in json format. Below is the example of a device requesting an update and the response given back:

Request Update:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>RequestType</key>
        <string>ScheduleOSUpdate</string>
        <key>Updates</key>
        <array>
            <dict>
                <key>InstallAction</key>
                <string>DownloadOnly</string>
                <key>ProductKey</key>
                <string>iOSUpdate17A576</string>
                <key>ProductVersion</key>
                <string>13.0</string>
            </dict>
        </array>
    </dict>
    <key>CommandUUID</key>
    <string>0001_ScheduleOSUpdate</string>
</dict>
</plist>
Request Update:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>0001_ScheduleOSUpdate</string>
    <key>Status</key>
    <string>Acknowledged</string>
    <key>UDID</key>
    <string>00008020-000915083C80012E</string>
    <key>UpdateResults</key>
    <array>
        <dict>
            <key>InstallAction</key>
            <string>DownloadOnly</string>
            <key>ProductKey</key>
            <string>iOSUpdate17A576</string>
            <key>Status</key>
            <string>Downloading</string>
        </dict>
    </array>
</dict>
</plist>

Notify only

Notify only alerts users that there is an action pending for installation. The user is notified about the software update through the App Store. It will also not start the installation.

Install Later

It will allow you to schedule the installation later tonight. The device will usually choose a time between 02:00 and 04:00 based on when the machine is least used to allow the update to install. The update will only install if the device is plugged into the power source.

Conclusion

I hope this article has been insightful in giving you a detailed understanding of how Intune & Apple help you to update your devices. Follow the three-step approach and keep your macOS devices updated with all the latest patches & updates. Recommended approach:

Keep learning and keep sharing.

Stay In(tuned). #intuneinspired

Share This Post

Check out these related posts

Set Sail for Smooth Seas: Effortless Mac Enrollment with Intune

Set Sail for Smooth Seas: Effortless Mac Enrollment with Intune

by Somesh Pathak
Secure, Contain, Protect... Your Mac: Deploy mSCP with Intune

Secure, Contain, Protect... Your Mac: Deploy mSCP with Intune

by Somesh Pathak
A New Era of Device Management: Exploring Microsoft Copilot for Security with Intune

A New Era of Device Management: Exploring Microsoft Copilot for Security with Intune

by Somesh Pathak